अष्टाध्यायी


माहेश्वर सूत्र

॥ अइउण् । ऋऌक् । एओङ् । ऐऔच् ।
हयवरट् । लण् । ञमङणनम् । झभञ् ।
घढधष् । जबगडदश् । खफछठथचटतव् ।
कपय् । शषसर् । हल् ॥

१. अइउण्।
२. ऋऌक्।
३. एओङ्।
४. ऐऔच्।
५. हयवरट्।
६. लण्।
७. ञमङणनम्।
८. झभञ्।
९. घढधष्।
१०. जबगडदश्।
११. खफछठथचटतव्।
१२. कपय्।
१३. शषसर्।
१४. हल्।

प्रत्याहार (42 as listed here; अण् appears twice because ण् closes both the first and the sixth sutra)

अण् अण् इण् यण् अक् इक् उक् एङ् अच् इच् एच् ऐच् अट् अम्
अल् यम् ङम् ञम् यञ् झष् भष् अश् हश् वश् झश् जश् बश् छव्
यय् मय् झय् खय् चय् यर् झर् चर् शर् हल् वल् रल् झल्
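How a प्रत्याहार is read off the 14 sutras, as an added worked example (this code is not part of the original notes): a name such as अच् is its first sound अ plus a marker (इत्) च्, and denotes every sound from that first sound up to the marker, skipping the other markers on the way. The sutras are encoded exactly as written above; the only assumption is the conventional one that when a marker recurs (ण्) the nearer one is meant unless stated otherwise.

```python
"""Expand a प्रत्याहार from the 14 माहेश्वर सूत्रs (added example, not from the notes)."""

# The 14 sutras as (sounds, marker). Markers carry a virama, as on the page.
MAHESHVARA_SUTRAS = [
    (["अ", "इ", "उ"], "ण्"),
    (["ऋ", "ऌ"], "क्"),
    (["ए", "ओ"], "ङ्"),
    (["ऐ", "औ"], "च्"),
    (["ह", "य", "व", "र"], "ट्"),
    (["ल"], "ण्"),
    (["ञ", "म", "ङ", "ण", "न"], "म्"),
    (["झ", "भ"], "ञ्"),
    (["घ", "ढ", "ध"], "ष्"),
    (["ज", "ब", "ग", "ड", "द"], "श्"),
    (["ख", "फ", "छ", "ठ", "थ", "च", "ट", "त"], "व्"),
    (["क", "प"], "य्"),
    (["श", "ष", "स"], "र्"),
    (["ह"], "ल्"),
]

# One ordered stream of ("sound", x) and ("marker", x) items.
STREAM = [
    item
    for sounds, marker in MAHESHVARA_SUTRAS
    for item in [("sound", s) for s in sounds] + [("marker", marker)]
]


def pratyahara(start, marker, occurrence=1):
    """Return the sounds denoted by <start><marker>.

    occurrence chooses which copy of a repeated marker closes the range: ण् occurs
    twice, so अण् is अ इ उ by default and runs up to ल with occurrence=2 (the wider
    reading Panini uses in 1.1.69 अणुदित् सवर्णस्य चाप्रत्ययः).
    """
    try:
        begin = STREAM.index(("sound", start))  # first occurrence of the starting sound
    except ValueError:
        raise ValueError(f"{start} is not a sound in the sutras") from None
    result, seen = [], set()
    for kind, x in STREAM[begin:]:
        if kind == "marker":
            if x == marker:
                occurrence -= 1
                if occurrence == 0:
                    return result
            continue  # other markers are never part of the प्रत्याहार
        if x not in seen:  # ह stands in sutras 5 and 14; list it once (हल् has 33 sounds)
            seen.add(x)
            result.append(x)
    raise ValueError(f"marker {marker} does not follow {start}")


def expand(name, occurrence=1):
    """Parse a written प्रत्याहार, e.g. 'अच्' -> start 'अ', marker 'च्', and expand it."""
    return pratyahara(name[0], name[1:], occurrence)


if __name__ == "__main__":
    for name in ("अच्", "इक्", "यण्", "झल्", "हल्"):
        print(name, " ".join(expand(name)))
```

Running it prints, for instance, अच् as the nine vowels and हल् as all 33 consonants; इको यण् अचि 6|1|77 can then be read directly as "इक् (इ उ ऋ ऌ) becomes यण् (य व र ल) before अच्".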
====================================================
पाणिनीय व्याकरण = 
अष्टाध्यायी  by महर्षि पाणिनि 
+
वार्तिक  by महामुनि कात्यायन 
+
महाभाष्य  by पतंजलि 

Later on:

सिद्धान्तकौमुदी by भट्टोजिदीक्षित
लघुसिद्धान्तकौमुदी by वरदराज 
====================================================
पाणिनीय व्याकरण = 
अष्टाध्यायी (4000)
+
शिवसूत्र या माहेश्वर सूत्र (14) 
+
धातुपाठ (2000)
+
गणपाठ (261)
====================================================
What is a Sutra?

अल्पाक्षरमसन्दिग्धं सारवद्विश्वतोमुखम् ।
अस्तोभमनवद्यं च सूत्रं सूत्रविदो विदुः ॥ इति ।

(Those who know sutras hold a sutra to be: of few letters, unambiguous, full of substance, many-sided, free of filler, and faultless.)

1. स्वल्पाक्षरम् of few letters; as terse as possible

2. असंदिग्धम् unambiguous, leaving no doubt

3. सारवत् containing the essence; substantial

4. विश्वतोमुखम् literally "facing all directions": general, applicable in many contexts

5. अस्तोभम् without स्तोभ, i.e. without filler syllables or padding

6. अनवद्यम् faultless, beyond reproach

====================================================
अष्टाध्यायी 

Types of Sutra 

संज्ञा च परिभाषा च विधिर्नियम एव च।
अतिदेशोऽधिकारश्च षड्विधं सूत्रं मतम् ॥

(A sutra is held to be of six kinds: संज्ञा (definition), परिभाषा (interpretive meta-rule), विधि (operational rule), नियम (restriction), अतिदेश (extension by analogy) and अधिकार (governing heading).)

(१) संज्ञा सूत्र (total 91) :
नामकरणं संज्ञा: a संज्ञा sutra gives a name to a technical term.
E.g.
वृद्धिरादैच् 1|1|1 (आ, ऐ, औ are called वृद्धि)
शेषो घ्यसखि 1|4|7
Most of them are in the first or second chapter.

(२) परिभाषा सूत्र (total 23) :
अनियमे नियमकारिणी परिभाषा: a परिभाषा is a meta-rule that decides how other rules apply where they would otherwise be indeterminate.
E.g.
अलोऽन्त्यस्य 1|1|52 (a substitute replaces only the final sound). It is this परिभाषा that makes त्यदादीनामः 7|2|102 replace just the last letter of त्यद् etc. with अ.
Most of them are in the first or second chapter.

(३) विधि सूत्र :
कर्तव्यत्वेनोपदेशो विधिः: a विधि sutra prescribes an operation.
E.g.
इको यण् अचि 6|1|77
नलोपः प्रातिपदिकान्तस्य 8|2|7

(४) नियम सूत्र :
बहुत्र प्राप्तौ संकोचनं नियमः: where a rule would apply in many cases, a नियम restricts it to some of them.
E.g.
पतिः समास एव 1|4|8 (पति is घि only in a compound)

(५) अतिदेश सूत्र : (total 35)
अन्यतुल्यत्वविधानम् अतिदेशः: an अतिदेश sutra makes one item be treated like another, so that the other's rules apply to it as well.
E.g.
तृज्वत् क्रोष्टुः 7|1|95 (क्रोष्टु behaves like a तृच् stem)

(६) अधिकार सूत्र : (total 74)
उत्तरप्रकरणव्यापी अधिकारः
एकत्र उपात्तस्य अन्यत्र व्यापारः अधिकारः: a heading rule, stated once and read into the sutras that follow it.
E.g.
प्रत्ययः 3|1|1, which governs everything from 3.1 to the end of chapter 5.
====================================================
अष्टाध्यायी 
8 अध्याय × 4 पाद = 32 पाद; each पाद has between 38 and 200 sutras, so around 4000 in all.


1. The first two chapters mostly give the definitions (संज्ञा) and meta-rules (परिभाषा) used by all the other chapters, together with the sutras on forming प्रातिपदिकs (compounds) and on what counts as a पद or a धातु.
2. The third chapter gives all the प्रत्ययाः that can be attached to a धातु. The list runs, in order, through the twelve सनादि प्रत्ययाः, then the विकरण प्रत्ययाः, then the कृत् प्रत्ययाः, then the तिङ् प्रत्ययाः, and finally the आदेशाः that the various लकाराः undergo.
3. The fourth and fifth chapters enumerate all the प्रत्ययाः that can be attached to a प्रातिपदिकम्: the स्त्री प्रत्ययाः, the सुप् प्रत्ययाः and the तद्धित प्रत्ययाः.
4. The sixth and seventh chapters contain the rules (सन्धि, आदेश and other transformations) for how a प्रत्यय attaches to the अङ्ग and what happens to the अङ्ग in the process.
5. Finally, the eighth chapter lists the rules that apply once a complete पद has been formed, including णत्व, षत्व, श्चुत्व, जश्त्व, विसर्गलोप and so on.

The division of all 32 पादs, with the main topics of each, is as follows:

1.1
संज्ञाप्रकरणम्
1.2
अतिदेशप्रकरणम्, एकश्रुतिप्रकरणम्, वचननिर्धारणम्, एकशेषप्रकरणम्
1.3
इत्संज्ञाप्रकरणम्, धातुपदनिर्णय:
1.4
एकसंज्ञाप्रकरणम्, कारकप्रकरणम्, निपातप्रकरणम्, कर्मप्रवचनीयप्रकरणम्
2.1
अव्ययीभावसमास:, तत्पुरुषसमास:,
2.2
बहुव्रीहिसमास:, द्वन्द्वसमास:, पूर्वनिपात-परनिपातप्रकरणम्
2.3
विभक्तिनिर्णयः
2.4
समासानां लिङ्गवचननिर्धारणम्, लुक्-प्रकरणम्
3.1 to 3.4
धातुभ्य: विहिता: सर्वे प्रत्यया:
Chapters 4 and 5
प्रातिपदिकेभ्य: विहिता: सर्वे प्रत्यया:
6.1
द्वित्वप्रकरणम्, सम्प्रसारणप्रकरणम्, आत्वप्रकरणम्, अच्सन्धिप्रकरणम्, स्वरप्रकरणम्
6.2
स्वरप्रकरणम्
6.3
उत्तरपदाधिकार, संहिताधिकार
6.4
असिद्धवदधिकार, आर्धधातुकप्रकरणम्, भाधिकार
7.1
प्रत्ययादेशा:
7.2
इडागमप्रकरणम्, सार्वधातुके परे अङ्गकार्याणि
7.3
सार्वधातुके परे अङ्गकार्याणि, विभक्तिप्रत्यये परे अङ्गकार्याणि
7.4
अङ्गकार्याणि, अभ्यासकार्याणि
8.1
द्विरुक्तप्रकरणम्, पदाधिकार
8.2
लोपकार्याणि, झलिपदान्ते कार्याणि, प्लुताधिकार, संहिताधिकार
8.3
रुत्वम्, आदेशा:, आगमा:, षत्वम्
8.4
णत्वम्, हल्सन्धय:


Reference:

https://docs.google.com/document/d/e/2PACX-1vRVI2PN33awPw5n_1u0_iftvygDxOCck6PZzWmys76XJlKH4Hl12Cr5j-46d0wcq6TaslYKM_MzI1tm/pub 

https://docs.google.com/document/d/e/2PACX-1vQ_G9OqsoFptuSJUSkNjN6JWW3HDPglFX-khXDd4u2a0TFbnBW0b9zgCKwdTe0xIdFCbH7lQZj0eVGs/pub

https://slabhyankar.wordpress.com/category/learning-sanskrit-by-fresh-approach/lessons-111-120/lesson-119/ 

https://ashtadhyayi.com/

https://sa.wikipedia.org/wiki/%E0%A4%85%E0%A4%B7%E0%A5%8D%E0%A4%9F%E0%A4%BE%E0%A4%A7%E0%A5%8D%E0%A4%AF%E0%A4%BE%E0%A4%AF%E0%A5%80

Tmux


tmux is a terminal multiplexer like GNU Screen. It keeps a session alive on the remote host independently of your SSH/PuTTY connection: detach, lose the connection, reconnect and attach again, and your shells are still there. From a single prompt you can run several sessions, windows and panes. It is recommended for the CKA/CKAD exam, where you have to work against multiple clusters at once.

Here are relevant URLs

http://alvinalexander.com/downloads/linux/tmux-cheat-sheet.pdf
http://alvinalexander.com/linux-unix/tmux-cheat-sheet-commands-pdf/
https://leanpub.com/the-tao-of-tmux/read
https://pragprog.com/titles/bhtmux2/
https://www.hamvocke.com/blog/a-guide-to-customizing-your-tmux-conf/
https://man7.org/linux/man-pages/man1/tmux.1.html

RBAC in K8s


RBAC is all about

Can "Subject" "Verb" "Object" at "Location"?

The API server's authorization layer (the RBAC authorizer, which runs after authentication and before admission control) derives these from the incoming request:

1. HTTP method → VERB. POST = create, PUT = update, PATCH = patch, DELETE = delete (deletecollection when no name is given); GET = get when a name is in the URI, list otherwise, and watch when ?watch=true is set.

2. URI → OBJECT = (1) API group and (2) resource, plus subresource if any (e.g. pods/log). /api/v1/... is the core group "", /apis/<group>/<version>/... a named group.

3. URI → LOCATION = namespace (/namespaces/<ns>/...). Cluster-scoped resources such as nodes have no namespace.

4. Authentication → SUBJECT = (1) user name and (2) groups.

Note: for a create, the URI does not contain the name of the new object (it is in the request body), so RBAC cannot restrict which names may be created. resourceNames in a rule only restrict verbs that address an existing object (get, update, patch, delete), never create or deletecollection.

YAML

1. Role

Namespaced. Each rule gives:
- verbs (VERB)
- apiGroups + resources (OBJECT), optionally resourceNames
A Role can only name namespaced resources.

2. RoleBinding

It has:
LOCATION = its own namespace
roleRef = a Role (in the same namespace) or a ClusterRole; that supplies VERB + OBJECT
subjects = kind (User | Group | ServiceAccount) + name

A service account named sa in namespace myns is written on the kubectl command line as
--serviceaccount=myns:sa
(in YAML: kind: ServiceAccount, name: sa, namespace: myns; it authenticates as the user system:serviceaccount:myns:sa).

To grant all service accounts of a namespace, do NOT write --serviceaccount=myns:* (there are no wildcards in subjects). Use the group every such account belongs to:
--group=system:serviceaccounts:myns
(the group system:serviceaccounts covers every service account in the cluster).

3. ClusterRole

Not namespaced: a cluster-wide role definition, so it can be used in every namespace.
Its resources can be (1) namespaced resources or (2) cluster-scoped resources, e.g. Nodes, PV; it can also grant non-resource URLs such as /healthz.

A RoleBinding can reference a ClusterRole instead of a Role.
Because the RoleBinding has a namespace, the ClusterRole's permissions are then granted in that namespace only.

4. ClusterRoleBinding

Not namespaced.

It references a ClusterRole (never a Role).
It grants the permissions globally: in every namespace and for cluster-scoped resources.

* So a ClusterRole serves several purposes:
1. A reusable role definition: the same ClusterRole granted to user A in namespace AA and to user B in namespace BB through two RoleBindings.
2. Rules for cluster-scoped resources, e.g. Nodes, PV.
3. Referenced from a ClusterRoleBinding to grant permission globally.
Note: a ClusterRole may list namespaced and cluster-scoped resources together. What matters is the binding: through a RoleBinding only the namespaced resources take effect, and only in that namespace (a request for a cluster-scoped resource has an empty namespace, so no RoleBinding ever matches it); through a ClusterRoleBinding everything in the role takes effect.

* A ClusterRoleBinding is needed for
- cluster-scoped resources
- cluster-wide permission across all namespaces
- non-resource URLs
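The decision described in this section, as an added worked example in Python (this is a toy model written for these notes, not the real Kubernetes authorizer): it extracts VERB, OBJECT and LOCATION from method and URI, takes SUBJECT from the authenticated user and groups, and walks the bindings. All users (alice, bob), roles (pod-reader, node-viewer, scaler) and bindings are constructed; the group names for service accounts are the ones the token authenticator really adds.

```python
"""Toy model of the Kubernetes RBAC decision (added example, not the real authorizer)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Non-GET methods map 1:1 to verbs; GET becomes get / list / watch depending on the URI.
VERB_BY_METHOD = {"POST": "create", "PUT": "update", "PATCH": "patch", "DELETE": "delete"}

# /api/v1/... is the core group (""); /apis/<group>/<version>/... is a named group.
PATH_RE = re.compile(
    r"^/(?:api/(?P<core>v1)|apis/(?P<group>[^/]+)/[^/]+)"
    r"(?:/namespaces/(?P<ns>[^/]+))?"
    r"/(?P<resource>[^/]+)(?:/(?P<name>[^/]+)(?:/(?P<sub>[^/]+))?)?$"
)


@dataclass(frozen=True)
class Attributes:
    user: str
    groups: frozenset
    verb: str
    api_group: str
    resource: str    # "pods", or "deployments/scale" for a subresource
    namespace: str   # "" for cluster-scoped resources such as nodes
    name: str        # "" on create and list: the URI carries no name yet


def attributes_from_request(method, path, user, groups=()):
    """SUBJECT comes from authentication; VERB, OBJECT and LOCATION from method + URI."""
    path, _, query = path.partition("?")
    m = PATH_RE.match(path)
    if not m:
        raise ValueError(f"not a resource URI: {path}")
    resource = m["resource"] + (f"/{m['sub']}" if m["sub"] else "")
    name = m["name"] or ""
    if method == "GET":
        verb = "watch" if "watch=true" in query.split("&") else ("get" if name else "list")
    elif method == "DELETE" and not name:
        verb = "deletecollection"
    else:
        verb = VERB_BY_METHOD[method]
    return Attributes(user, frozenset(groups), verb, "" if m["core"] else m["group"],
                      resource, m["ns"] or "", name)


@dataclass
class Rule:
    verbs: set
    api_groups: set
    resources: set
    resource_names: set = field(default_factory=set)

    def allows(self, a):
        # resourceNames can never match a create: the name is "" at authorization time.
        if self.resource_names and a.name not in self.resource_names:
            return False
        checks = ((self.verbs, a.verb), (self.api_groups, a.api_group), (self.resources, a.resource))
        return all("*" in allowed or value in allowed for allowed, value in checks)


@dataclass
class Binding:
    namespace: Optional[str]   # None -> ClusterRoleBinding, else a RoleBinding in that namespace
    role_kind: str             # "Role" or "ClusterRole"
    role_name: str
    subjects: list             # (kind, name, service-account namespace or None)


def subject_matches(subject, a):
    kind, name, sa_ns = subject
    if kind == "User":
        return a.user == name
    if kind == "Group":
        return name in a.groups
    if kind == "ServiceAccount":   # a token for myns:sa authenticates as this user name
        return a.user == f"system:serviceaccount:{sa_ns}:{name}"
    return False


def authorize(a, roles, cluster_roles, bindings):
    for b in bindings:
        # A RoleBinding only covers requests inside its own namespace. A request for a
        # cluster-scoped resource has namespace "", so it never matches a RoleBinding,
        # even one that references a ClusterRole listing nodes.
        if b.namespace is not None and b.namespace != a.namespace:
            continue
        if not any(subject_matches(s, a) for s in b.subjects):
            continue
        if b.role_kind == "ClusterRole":
            rules = cluster_roles.get(b.role_name, [])
        else:
            rules = roles.get((b.namespace, b.role_name), [])
        if any(r.allows(a) for r in rules):
            return True
    return False   # RBAC only allows; with no matching rule the request is denied


# Constructed policy. Roles are keyed by (namespace, name), ClusterRoles by name.
ROLES = {("dev", "pod-reader"): [Rule({"get", "list", "watch"}, {""}, {"pods"})]}
CLUSTER_ROLES = {
    "node-viewer": [Rule({"get", "list"}, {""}, {"nodes"})],
    "scaler": [Rule({"update", "patch"}, {"apps"}, {"deployments/scale"})],
}
BINDINGS = [
    Binding("dev", "Role", "pod-reader", [("User", "alice", None)]),
    # ClusterRole through a RoleBinding: effective in "dev" only, and useless for nodes.
    Binding("dev", "ClusterRole", "node-viewer", [("Group", "system:serviceaccounts:dev", None)]),
    Binding("dev", "ClusterRole", "scaler", [("ServiceAccount", "hpa-ctl", "dev")]),
    Binding(None, "ClusterRole", "node-viewer", [("User", "bob", None)]),
]


def check(method, path, user, groups=()):
    """Decide one request against the constructed policy."""
    attrs = attributes_from_request(method, path, user, groups)
    return authorize(attrs, ROLES, CLUSTER_ROLES, BINDINGS)
```

Two results worth noticing: the service accounts of dev are bound to node-viewer, yet GET /api/v1/nodes is denied, because the request has no namespace and the binding is a RoleBinding; and hpa-ctl may PATCH deployments/web/scale but not deployments/web, because the subresource is a distinct resource in the rule.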

Default Subjects
1. system:masters is a group. SUBJECT = User | Group | ServiceAccount, so a group is a valid subject. system:masters is bound to cluster-admin by default, which is why a client certificate with O=system:masters is a full admin credential whatever its CN.
2. system:kube-scheduler
3. system:kube-controller-manager
4. system:kube-proxy

kubelet runs with
5. username = system:node:<node name>
group = system:nodes
Here RBAC alone is not sufficient, because RBAC cannot limit a kubelet to the objects of its own node. So the authorization mode is both (1) Node and (2) RBAC (--authorization-mode=Node,RBAC). The identity in the kubelet's client certificate is what (1) the Node authorizer and (2) the NodeRestriction admission plugin use to restrict each kubelet to its own Node and the Pods scheduled on it.

Note: in a client certificate the username is the CN (Common Name) and the groups are the O (Organization) fields.

Default ClusterRoles
1. cluster-admin is the super user (all verbs on all resources and all non-resource URLs)
2. admin
3. edit
4. view
admin, edit and view are meant to be granted to individual SUBJECTs for a specific namespace LOCATION through a RoleBinding. admin can additionally manage Roles and RoleBindings in that namespace, edit cannot, and view is read-only (it does not include Secrets).
admin, edit and view are aggregated ClusterRoles: they carry an aggregationRule, and any ClusterRole labelled rbac.authorization.k8s.io/aggregate-to-edit: "true" (likewise -admin, -view) has its rules merged in automatically. That is how permissions for a new CRD's resources are added to the default roles without editing them.

Verbs

RBAC does not expand verbs: a rule listing only list does not grant get or watch. The conventional groupings, written out in full, are
read  = get, list, watch
write = create, update, patch, delete, deletecollection

Subresources

A subresource is named as resource/subresource in a rule, e.g. deployments/scale, pods/log, pods/exec, and is authorized separately from the parent resource.
HPA works on the /scale subresource: it needs get and update on deployments/scale, not on deployments.
Controllers write the /status subresource: update on pods does not allow writing pods/status, and vice versa.

Federation
1. Define RBAC objects centrally and sync them to every member cluster.
2. Alternatively, set the API server's authorization mode to Webhook and point it at an external authorizer, which may itself be another cluster's RBAC.

Reference:

https://kubernetes.io/docs/reference/access-authn-authz/rbac/
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
https://www.youtube.com/watch?v=Nw1ymxcLIDI
https://github.com/liggitt/audit2rbac

CKA : K8s Core Concepts


The node controller checks node status every 5 seconds (--node-monitor-period). If a node has sent no heartbeat for 40 seconds (--node-monitor-grace-period) the controller marks it NotReady/Unknown. After a further 5 minutes (--pod-eviction-timeout, or the 300 s tolerationSeconds of the node.kubernetes.io/unreachable taint) the pods of the unhealthy node are evicted and rescheduled on other nodes.

kubeadm does not install the kubelet; it must already be installed on each node (kubeadm only writes its configuration and starts it).

Without the Pod abstraction we would have to wire up networking between the application container and the sidecar container ourselves, create a volume and share it with both containers, and monitor both containers separately.

PyCharm has very good support for YAML:
- auto indentation
- the status bar at the bottom shows where the current line sits in the YAML tree
- and, of course, syntax colour highlighting.

A ReplicaSet has a selector, so it also adopts matching pods created earlier.
A ReplicationController's selector is a flat map of key=value pairs (equality-based only); it has no selector.matchLabels / matchExpressions.
A ReplicaSet's selector can also be set-based (matchExpressions with In, NotIn, Exists).
A ReplicationController picks a pod only when every key/value matches.

Once a pod of a ReplicaSet has reached ImagePullBackOff, correcting the image name in the RS YAML and applying it has no effect on the existing pods: the template only applies to pods created afterwards. Delete the pods of the RS and it will create new ones with the correct image.

In the RS the pod template's labels must satisfy the selector:
spec.selector.matchLabels
spec.template.metadata.labels

A Deployment's YAML is almost identical to a ReplicaSet's (only kind differs). The Deployment creates ReplicaSets and the ReplicaSet creates pods.

To change the default namespace of the current kubectl context:

k config set-context $(k config current-context) --namespace=dev

(the --current flag can replace the $(k config current-context) subshell.)

ResourceQuota is per namespace.

A Deployment is quickest to create with "k create deployment NAME --image=IMAGE", then set the replica count with "k scale deployment NAME --replicas=N".

The scheduler considers the following values from the YAML:
- affinity / anti-affinity (node and pod)
- nodeSelector / nodeName
- taints / tolerations
- resource requests / limits



Imperative Commands with Kubectl


kubectl create commands

kubectl create service clusterip|nodeport|loadbalancer NAME --tcp=PORT:TARGETPORT [--node-port=PORT]
kubectl create configmap NAME --from-file=FILE_OR_DIR --from-literal=KEY=VALUE
kubectl create secret generic NAME --from-file=FILE --from-literal=KEY=VALUE
kubectl create rolebinding NAME --role=ROLE | --clusterrole=CLUSTERROLE --serviceaccount=NS:SA | --user=USER | --group=GROUP
kubectl create clusterrolebinding NAME --clusterrole=CLUSTERROLE --serviceaccount=NS:SA | --user=USER | --group=GROUP
kubectl create role NAME --verb=VERB,... --resource=RESOURCE[/SUBRESOURCE] [--resource-name=NAME]
kubectl create clusterrole NAME --verb=VERB,... --resource=RESOURCE [--non-resource-url=URL]
kubectl create cronjob NAME --image=IMAGE --schedule="* * * * *"
kubectl create deployment NAME --image=IMAGE
kubectl create job NAME --image=IMAGE    (or from a CronJob: kubectl create job NAME --from=cronjob/CJ_NAME)

kubectl set commands

kubectl set env RESOURCE/NAME KEY_1=VAL_1 ... KEY_N=VAL_N
kubectl set image (-f FILENAME | TYPE NAME) CONTAINER=IMAGE
kubectl set resources (-f FILENAME | TYPE NAME) [--limits=cpu=CPU,memory=MEM] [--requests=cpu=CPU,memory=MEM]
kubectl set serviceaccount (-f FILENAME | TYPE NAME) SA_NAME    (alias: kubectl set sa)

kubectl run

In older kubectl (before 1.18) the object created depended on --restart:
run ... --restart=OnFailure                            created a Job
run ... --restart=OnFailure --schedule="* * * * *"     created a CronJob
run ... --restart=Never                                created a Pod
run ... --generator=run-pod/v1                         forced a Pod
Since kubectl 1.18, kubectl run only creates Pods; use kubectl create job / cronjob / deployment for the rest.

Other commands 

kubectl delete pod POD_NAME --grace-period=0 --force 

kubectl annotate (-f FILENAME | TYPE NAME) KEY_1=VAL_1 ... KEY_N=VAL_N 

kubectl label [--overwrite] (-f FILENAME | TYPE NAME) KEY_1=VAL_1 ... KEY_N=VAL_N 

kubectl replace -f FILENAME 

kubectl logs POD_NAME [-c CONTAINER] --since=DURATION --tail=N --timestamps

kubectl expose (-f FILENAME | TYPE NAME) [--port=port] [--protocol=TCP|UDP|SCTP] [--target-port=number-or-name] [--name=name] [--type=type]

Here:
TYPE NAME = rc | rs | deploy | pod | svc
type = ClusterIP | NodePort | LoadBalancer

1. kubectl run NAME --image=IMAGE [--env="key=value"] [--port=PORT] [--labels="key1=value1,key2=value2"] [--requests='cpu=CPU,memory=MEM'] [--serviceaccount=SA] --command -- COMMAND [args...]
   (with --command, everything after -- replaces the container command; without it, the words after -- are arguments to the image's default entrypoint)

2. kubectl run NAME --image=IMAGE [--env="key=value"] [--port=PORT] -- [args...]

3. kubectl run NAME --image=IMAGE [--env="key=value"] [--port=PORT]

Reference:
https://kubernetes.io/docs/reference/kubectl/conventions/
https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands

Minikube etcd


Here are my experiments with etcd and minikube.

I ran below command

etcdctl --endpoints="127.0.0.1:2379" --cacert="/var/lib/minikube/certs/etcd/ca.crt"  --cert="/var/lib/minikube/certs/apiserver-etcd-client.crt"  --key="/var/lib/minikube/certs/apiserver-etcd-client.key"  member list

I got a permission error for /var/lib/minikube/certs/apiserver-etcd-client.key.
I used sudo, but I faced a different error.
So I copied the file and changed its permissions. Then I could run the following command:

etcdctl --endpoints="127.0.0.1:2379" --cacert="/var/lib/minikube/certs/etcd/ca.crt"  --cert="/var/lib/minikube/certs/apiserver-etcd-client.crt"  --key="/home/manish/.etcd/apiserver-etcd-client.key"  member list

Instead of "member list" I could also run the commands below:

get --prefix /registry 

get / --prefix --keys-only

get --prefix /registry/events/default to dump events in default namespace. 

Similarly, we can get details of all pods with
get --prefix /registry/pods/default  

and for specific pod 
get --prefix /registry/pods/"namespace name"/"pod name" 

With the option -w json we get JSON data, but the values are base64 encoded. We can set the value v1 for the key k1 using

etcdctl set k1 v1 // version 2 API (ETCDCTL_API=2)
etcdctl put k1 v1 // version 3 API

We can add --limit="number" to limit output number of entries. 
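Reading the -w json output mentioned above, as an added example (this code is not part of the notes; the sample etcdctl output in it is constructed, not captured from a cluster). It decodes the base64 keys and values, splits each key into resource, namespace and name, and flags which stored values are wrapped by an encryption-at-rest provider (those start with k8s:enc:, unencrypted protobuf objects start with k8s followed by a NUL byte). The security point this makes concrete: whoever can read etcd with the API server's etcd client key, as in the experiment above, reads every unencrypted Secret in plaintext, so a copy of that key made outside /var/lib/minikube/certs should be removed afterwards.

```python
"""Decode `etcdctl get --prefix /registry/... -w json` output (added example, not from the notes)."""
import base64
import json

# Constructed sample values. Real objects are protobuf with a "k8s\x00" prefix; an
# object written through an EncryptionConfiguration provider starts with "k8s:enc:".
SAMPLE_KVS = [
    ("/registry/pods/default/nginx", b"k8s\x00\n\x02v1\x12\x03Pod..."),
    ("/registry/secrets/default/db-pass", b"k8s\x00\n\x02v1\x12\x06Secret...hunter2"),
    ("/registry/secrets/kube-system/tls", b"k8s:enc:aescbc:v1:key1:\x8f\x1a\x00..."),
    ("/registry/minions/worker-0", b"k8s\x00\n\x02v1\x12\x04Node..."),
]
SAMPLE_JSON = json.dumps({
    "header": {"cluster_id": 1, "member_id": 1, "revision": 42, "raft_term": 2},
    "kvs": [
        {"key": base64.b64encode(k.encode()).decode(), "create_revision": 1,
         "mod_revision": 2, "version": 1, "value": base64.b64encode(v).decode()}
        for k, v in SAMPLE_KVS
    ],
    "count": len(SAMPLE_KVS),
})

ENCRYPTED_PREFIX = b"k8s:enc:"


def parse_key(key):
    """Split an etcd key into its parts.

    /registry/<resource>/<namespace>/<name>   namespaced objects
    /registry/<resource>/<name>               cluster-scoped (nodes are stored under 'minions')
    /registry/<group>/<resource>/...          group-qualified, e.g. apiextensions.k8s.io/customresourcedefinitions
    """
    parts = key.split("/")[2:]                  # drop the leading "" and "registry"
    if parts and "." in parts[0]:               # an API group name always contains a dot
        parts = ["/".join(parts[:2])] + parts[2:]
    if len(parts) == 3:
        return {"resource": parts[0], "namespace": parts[1], "name": parts[2]}
    if len(parts) == 2:
        return {"resource": parts[0], "namespace": None, "name": parts[1]}
    raise ValueError(f"unexpected key layout: {key}")


def decode_kvs(json_text):
    """Decode every kv in etcdctl's JSON output into a readable record."""
    records = []
    for kv in json.loads(json_text)["kvs"]:
        key = base64.b64decode(kv["key"]).decode()
        value = base64.b64decode(kv["value"])
        rec = parse_key(key)
        rec.update(key=key, encrypted_at_rest=value.startswith(ENCRYPTED_PREFIX),
                   value_bytes=len(value))
        records.append(rec)
    return records


def plaintext_secrets(json_text):
    """Secrets whose stored value is not wrapped by an encryption provider. Anyone who can
    read etcd, the API server's etcd client key, or an etcd backup reads these directly."""
    return [r["key"] for r in decode_kvs(json_text)
            if r["resource"] == "secrets" and not r["encrypted_at_rest"]]


if __name__ == "__main__":
    for r in decode_kvs(SAMPLE_JSON):
        print(r)
    print("plaintext secrets:", plaintext_secrets(SAMPLE_JSON))
```

To use it on a real cluster, pipe `etcdctl ... get --prefix /registry/secrets -w json` into a file and pass its contents to plaintext_secrets(); an empty list means every Secret was written after encryption at rest was enabled.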

Reference: 

https://medium.com/better-programming/a-closer-look-at-etcd-the-brain-of-a-kubernetes-cluster-788c8ea759a5#:~:text=In%20the%20Kubernetes%20world%2C%20etcd,handled%20by%20the%20Raft%20algorithm.

kelseyhightower Kubernetes The Hard Way


CFSSL consists of:
  • a set of packages useful for building custom TLS PKI tools
  • the cfssl program, which is the canonical command line utility using the CFSSL packages.
  • the multirootca program, which is a certificate authority server that can use multiple signing keys.
  • the mkbundle program is used to build certificate pool bundles.
  • the cfssljson program, which takes the JSON output from the cfssl and multirootca programs and writes certificates, keys, CSRs, and bundles to disk.
The cfssl command line tool takes a command to specify what operation it should carry out:
   sign             signs a certificate
   bundle           build a certificate bundle
   genkey           generate a private key and a certificate request
   gencert          generate a private key and a certificate
   serve            start the API server
   version          prints out the current version
   selfsign         generates a self-signed certificate
   print-defaults   print default configurations
Use cfssl [command] -help to find out more about a command. The version command takes no arguments.
Networking
gcloud compute networks : kubernetes-the-hard-way
gcloud compute networks subnets : 10.240.0.0/24
gcloud compute firewall-rules
1. tcp, udp, icmp : source-ranges 10.240.0.0/24,10.200.0.0/16
2. tcp:22,tcp:6443,icmp : source-ranges 0.0.0.0/0
gcloud compute firewall-rules list
Now, create public address
gcloud compute addresses
Compute
3 K8s controllers: 
controller-0: 10.240.0.10
controller-1: 10.240.0.11
controller-2: 10.240.0.12
POD CIDR : 10.200.0.0/16
3 Worker node
worker-0: 10.240.0.20 pod-cidr 10.200.0.0/24
worker-1: 10.240.0.21 pod-cidr 10.200.1.0/24
worker-2: 10.240.0.22 pod-cidr 10.200.2.0/24
TLS Certificates
TLS certificates for the following components: 
* etcd, 
* kube-apiserver, 
* kube-controller-manager, 
* kube-scheduler, 
* kubelet, and 
* kube-proxy.
A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. In cryptography, a PKI is an arrangement that binds public keys with respective identities of entities (like people and organizations).
Generate
1. ca-config.json: the signing profile ("kubernetes") with expiry and usages:
"signing",
"key encipherment",
"server auth",
"client auth"
2. ca-csr.json: the CA's own CSR, from which the CA is initialised.
Output: private key and certificate for the CA (ca-key.pem, ca.pem). ca-key.pem signs every other certificate in the cluster, so it goes to the controllers only.
3. One CSR JSON file per component, each signed with the CA key, the CA certificate and the CA config file.
Output: a private key and a certificate per component. The identity RBAC later sees is the certificate subject: CN is the user name, O is the group.
3.1 admin: CN=admin, O=system:masters (bound to cluster-admin by default)
3.2 one per worker node for the kubelet: CN=system:node:worker-N, O=system:nodes, with the node's hostname, external IP and internal IP as hostnames (SANs)
3.3 kube-controller-manager: CN=system:kube-controller-manager, O=system:kube-controller-manager
3.4 kube-proxy: CN=system:kube-proxy, O=system:node-proxier
3.5 kube-scheduler: CN=system:kube-scheduler, O=system:kube-scheduler
4. The K8s API server certificate (kubernetes.pem, kubernetes-key.pem).
For the -hostname argument pass every name and address a client may use:
KUBERNETES_HOSTNAMES=kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local
plus 10.32.0.1 (the first service IP, which the in-cluster kubernetes service gets), 127.0.0.1, the public IP of the load balancer in front of the controllers, and the private IP of every controller. A name missing here means TLS verification fails for every client that connects by it.
5. The service-account key pair (service-account.pem, service-account-key.pem): the controller manager signs service account tokens with the key and the API server verifies them with the certificate.
scp
6. To each worker node copy (scp) the following files
ca.pem
worker-N-key.pem
worker-N.pem
7. To every controller node copy (scp) the following files
ca.pem
ca-key.pem
kubernetes.pem
kubernetes-key.pem
service-account.pem
service-account-key.pem
client authentication configuration
The kube-proxy, kube-controller-manager, kube-scheduler, and kubelet client certificates will be used to generate client authentication configuration file, also known as kubeconfigs. It enables Kubernetes clients to locate and authenticate to the Kubernetes API Servers.
Node authorization is a special-purpose authorization mode that specifically authorizes API requests made by kubelets. https://kubernetes.io/docs/reference/access-authn-authz/node/
1. Generate a kubeconfig file for each worker node with user name system:node:worker-N, pointing at the public load balancer address. Output: worker-N.kubeconfig
2. Generate a kubeconfig file for the kube-proxy service, also pointing at the public address. Output: kube-proxy.kubeconfig
3. Generate a kubeconfig file for the kube-controller-manager service. Here the server is https://127.0.0.1:6443, since it runs on the controller itself. Output: kube-controller-manager.kubeconfig
4. Generate a kubeconfig file for the kube-scheduler service. Server 127.0.0.1. Output: kube-scheduler.kubeconfig
5. Generate a kubeconfig file for the admin user. Server 127.0.0.1. Output: admin.kubeconfig
To generate .kubeconfig file, we will use these three commands:
kubectl config set-cluster
kubectl config set-credentials
kubectl config set-context
Files for worker nodes:
  • worker-N.kubeconfig
  • kube-proxy.kubeconfig

Files for master nodes
  • admin.kubeconfig 
  • kube-controller-manager.kubeconfig 
  • kube-scheduler.kubeconfig

Data Encryption Config and Key
1. Generate encryption key with command
head -c 32 /dev/urandom | base64
2. Generate encryption-config.yaml file using that encryption key. 
Upload it to all three controller nodes. Whoever holds this key (or the file) can decrypt every Secret in an etcd backup, so protect it like ca-key.pem.
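The two steps above, as an added example in Python using only the standard library (this is not KTHW's own script): it produces the same 32 random bytes as `head -c 32 /dev/urandom | base64`, refuses a key of the wrong length, and renders the EncryptionConfiguration. The key name key1 and the resource list (secrets) are KTHW's defaults; the kind and apiVersion used here are the current apiserver.config.k8s.io/v1 form, where KTHW's original file used kind: EncryptionConfig with apiVersion: v1.

```python
"""Generate the key and EncryptionConfiguration for encryption at rest (added example)."""
import base64
import os

KEY_BYTES = 32   # the documented key length for the aescbc provider (AES-256)


def generate_key(nbytes=KEY_BYTES):
    """Same output as `head -c 32 /dev/urandom | base64`."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def key_is_valid(b64key):
    """True only for well-formed base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.b64decode(b64key, validate=True)) == KEY_BYTES
    except (ValueError, TypeError):
        return False


def encryption_config(b64key, key_name="key1", resources=("secrets",)):
    """Render the YAML.

    Provider order matters: the first provider (aescbc) encrypts every new write, and
    identity last keeps objects stored before encryption was enabled readable until
    they are rewritten. Putting identity first would silently store new Secrets in plaintext.
    """
    if not key_is_valid(b64key):
        raise ValueError("secret must be the base64 of exactly 32 random bytes")
    resource_lines = "\n".join(f"      - {r}" for r in resources)
    return (
        "kind: EncryptionConfiguration\n"
        "apiVersion: apiserver.config.k8s.io/v1\n"
        "resources:\n"
        "  - resources:\n"
        f"{resource_lines}\n"
        "    providers:\n"
        "      - aescbc:\n"
        "          keys:\n"
        f"            - name: {key_name}\n"
        f"              secret: {b64key}\n"
        "      - identity: {}\n"
    )


if __name__ == "__main__":
    print(encryption_config(generate_key()), end="")
```

Write the output to encryption-config.yaml and pass it to the API server with --encryption-provider-config; existing Secrets only become encrypted once they are rewritten (for example with kubectl get secrets --all-namespaces -o json | kubectl replace -f -).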
Bootstrap etcd
On each master node
1. download and install etcd
2. copy these 3 files at /etc/etcd
ca.pem 
kubernetes-key.pem 
kubernetes.pem
3. Create /etc/systemd/system/etcd.service. etcd listens on 2379 (client) and 2380 (peer); both listeners use kubernetes.pem / kubernetes-key.pem and require client certificates signed by ca.pem, so only holders of a CA-signed certificate (in practice the API server) can read the store.
4. Start etcd service
Bootstrap k8s-controller, K8s API server, K8s Scheduler 
On each master node
1. download and install 
kube-apiserver
kube-controller-manager
kube-scheduler
kubectl
2. Move all binary to /usr/local/bin
3. Move the following files to /var/lib/kubernetes/
ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem service-account-key.pem service-account.pem   encryption-config.yaml
kube-controller-manager.kubeconfig
kube-scheduler.kubeconfig 
4. Create .service file for each of them at /etc/systemd/system/
For API server specify etcd and other parameters
  --service-cluster-ip-range=10.32.0.0/24 \\
  --service-node-port-range=30000-32767 \\
nginx is installed on each controller as an HTTP health check endpoint for the Google Cloud load balancer, which can only probe plain HTTP: a request to http://<controller>/healthz is proxied to the API server's https://127.0.0.1:6443/healthz, verified against ca.pem. Copy the kubernetes.default.svc.cluster.local file to /etc/nginx/sites-available/ and enable it:
server {
  listen      80;
  server_name kubernetes.default.svc.cluster.local;
  location /healthz {
     proxy_pass                    https://127.0.0.1:6443/healthz;
     proxy_ssl_trusted_certificate /var/lib/kubernetes/ca.pem;
  }
}
RBAC for Kubelet Authorization
Set the kubelet's --authorization-mode flag to Webhook. In Webhook mode the kubelet asks the API server, through the SubjectAccessReview API, whether the caller may use the kubelet API. The API server itself calls the kubelet (logs, exec, port-forward, metrics) with the kubernetes client certificate, i.e. as user kubernetes, so that user needs access to the nodes/proxy, nodes/stats, nodes/log, nodes/spec and nodes/metrics subresources.
1. Create the system:kube-apiserver-to-kubelet ClusterRole with permissions to access the kubelet API and perform the most common tasks associated with managing pods.
2. Bind the system:kube-apiserver-to-kubelet ClusterRole to the kubernetes user with a ClusterRoleBinding.
These are API objects, so it is enough to apply them once from any host with an admin kubeconfig (KTHW does it on controller-0).
K8s Frontend LoadBalancer
Bootstrapping the Kubernetes Worker Nodes
1. First install
socat conntrack ipset
The socat binary enables support for the kubectl port-forward command.
2. Turn off swap
sudo swapoff -a
3. download and install 
cri-tools (crictl)
runc, container networking plugins, containerd, kubelet, and kube-proxy.
4. Installation directory 
  /etc/cni/net.d \
  /opt/cni/bin \
  /var/lib/kubelet \
  /var/lib/kube-proxy \
  /var/lib/kubernetes \
  /var/run/kubernetes
5. Create network configuration file at /etc/cni/net.d/
10-bridge.conf
99-loopback.conf
6. configure containerd service
7. configure Kubelet
8. configure kube-proxy
9. Start services: containerd kubelet kube-proxy
Configuring kubectl for Remote Access
Use the following commands
kubectl config set-cluster  // --certificate-authority=ca.pem
kubectl config set-credentials // --client-certificate=admin.pem  --client-key=admin-key.pem
kubectl config set-context // --user=admin
kubectl config use-context 
Provisioning Pod Network Routes
There is no overlay network here, so pods on different workers need VPC routes: add a route for each worker's pod CIDR (10.200.N.0/24) with the next hop set to that worker's node IP (10.240.0.2N).
Deploying the DNS Cluster Add-on
https://storage.googleapis.com/kubernetes-the-hard-way/coredns.yaml